Truecaller’s True Colors 


A Swedish adware & spyware app which feeds a public phonebook aimed at preventing spam... 


PLEASE READ IMPORTANT DISCLAIMER — PAGE 5 


September 28, 2022 — Truecaller (TRUEB:SS) is a Swedish adware & spyware app which feeds an inferior caller- 
identification service aimed at detecting spam. The EU’s General Data Protection Regulation (GDPR), and similar 
legislation across the globe, threatens Truecaller’s business, which we believe is on the brink of redundancy. 


It now resorts to skirting regulations and/or avoiding taxes through uncreative loopholes which we believe will 
be inevitably cut-off. 


Our report encompasses excellent reporting from various journalists across the world, interviews with former 
employees, and many cybersecurity experts who have shared breaches freely. Kudos. 


Viceroy Research is short Truecaller. 


How the app works 
Fundamentally, Truecaller builds a “phonebook” and refines its spam database by: 


= Gathering identities of users and their address books (where they are allowed to). This is by far the most 
valuable and invasive data users are providing to Truecaller. 


= Processing user-submitted “spam” numbers. 


= identifying numbers which have exhibited spam-like behavior such as calling multiple unrelated Truecaller 
users. 


The app then functions as a “phone book”: 


= Users can search phone numbers in the app, which will return names and other personal contact details 
attached to the number (including non-users). This feature is, unsurprisingly, popular with scammer and 
frauds. 

= Flagged “spam” callers will be sometimes be identified and sometimes blocked. 

= All calls are accompanied by pervasive ads. Ironically it is not in Truecaller’s interest to block spam calls. 


“An Indian Company” — What we tell compliance. 


GDPR threatened Truecaller’s spyware features which feed the spam detection service. In response Truecaller 
moved all its data servers and substantially all of its operations to India where management appear to believe it 
is safe from legislation designed protect the privacy of its customers. This is not the case. 


= |n 2017 Truecaller received a letter from the Article 29 Working Party (since replaced by the European Data 

Protection Board). This letter highlighted concerns of Truecaller’s processing of personal data immediately 

prior to the implementation date of GDPR: 

-  Truecaller scrapes personal information from its users, including personal information about non-users. 
“(data protection law] applicability cannot be excluded by a unilateral declaration or signed away by a 
user accepting contractual terms of True Software.” 

- | The personal data of non-users (collected without consent) is freely searchable by the public on 
Truecaller’s website (with some geographical restrictions). Truecaller makes no attempt to inform these 
non-users that their personal data has been accessed, or by whom. 

-  Truecaller associates phone numbers with contacts from users’ phones and makes no attempt to verify 
the information is “not excessive, is accurate, and, where necessary, kept up to date”. 
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In 2018, Truecaller moved its entire operations and data servers to India, believing this move will be 
sufficient at keeping EU regulators at bay. Viceroy consulted GDPR specialists on Territorial Scope (Article 
3) of GDPR, and note the following: 

- Art 3(1): “GDPR applies to the processing of personal data in the context of activities of an 
establishment of a controller or a processor in the Union, regardless of whether the processing takes 
place in the Union or not.” 

The bar for being regarded an establishment is low. Truecaller’s head office is in Sweden, and most of 
Truecaller’s revenue is billed from Sweden’. 

- Art 3(2): “This Regulation applies to the processing of personal data of data subjects who are in the 
Union by a controller or processor not established in the Union” 

Truecaller indiscriminately scrapes contacts from non-EU users, which undoubtedly will EU contact 
data. Despite some protections offered to EU subjects, the same app is made available to EU customers 
as a service. 


India’s own data protection bill is in draft and is expected to be published for consultation in the short term?. 
We expect that regulations, if passed, would pose similar problems for Truecaller as GDPR. 


Truecaller has been subject to two Public Interest Litigation cases in India. One is ongoing in the High Court 

of Bombay’. 

-  Lexters reports that the petitioner “contended that [Truecaller] collects the user’s information and 
without their consent or permission shares it with its partners, and then the liability is dumped on the 
users. The app does this by asking to access of various features to use the application. Further, the 
petitioner alleged that it is a manipulated set up as the users have no choice...” 


Viceroy believe Truecaller will be made to comply with EU data privacy regulation, and be caught by incoming 
Indian regulation nonetheless in the near term. 


“A Swedish Company” — What we tell the accountants. 


When the taxman comes knocking, Truecaller is a loud and proud Swedish company. Truecaller bills almost 
exclusively from Sweden from advertising customers/agents despite substantially all operations being in India. 
We believe Truecaller has failed to adhere to transfer pricing principles and is avoiding larger tax rates in India. 


Truecaller’s Indian auditors include an EOM in their audit opinion of Truecaller International LLC (Indian 
Subsidiary). 

“The management is in the process of seeking necessary approvals and taking appropriate steps thereof 
for the [transfer pricing transactions] under the Reserve Bank of India guidelines and GST tax laws”. 
Truecaller reported a loss in India for the local financial year ended March 2021, despite posting large 
consolidated profits for the same period. Truecaller paid no income tax in India in the most recent financial 

year. 

The Indian market comprises almost 80% of Truecaller revenues and over 70% of daily active users. 63% of 
Truecaller’s workforce is based in India. Truecaller’s user terms of service outside the EEA is specifically with 
“Truecaller International LLP”: which is Truecaller’s Indian subsidiary. Truecaller’s advertisement terms of 
service outside of the EU is similarly with “True Software Services India LLP”. 

Truecaller’s blog frequently brag that India is their “home market”, and that “Truecaller and India are made 
for each-other”. 

India’s effective corporate tax rates (~29%) are substantially higher than Sweden’s (20.6%). India also enacts 
a dividend withholding tax of 20% for foreign investors’. 


1 CJEU — C-131/12 Google Spain: Google argued that data processing activities were not conducted in the EU. CJEU held 
that activities of its EU establishment Google Spain, which sold advertising space, and Google’s non-EU search engine were 
“inextricably linked”, it must follow GDPR directives. 

https://gdprhub.eu/index.php?title=CJEU_- C%E2%80%91131/12 - Google Spain 

2 https://www.thehindu.com/opinion/interview/ashwini-vaishnaw-interview-new-draft-data-protection-bill-to-be-out- 
soon-for-consultation/article65822798.ece 

3 Shashank S/o Dinesh Posture & Ors V. The Union of India & Ors. PILL 9776 2021 

4 There is a double-taxation treaty between India & Sweden. 
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The Catch-22 


Truecaller is an Indian company when subject to GDPR and conducts almost all its operations in India. It’s transfer 
pricing method is reserved almost exclusively for undifferentiated services which don’t bear risk. 


Truecaller is a Swedish company when it’s time to lodge its tax filings. It pays taxes almost exclusively in Sweden. 
This is despite all processing risk and operations being carried out in India. 


Financials 


Truecaller operates a largely India-centric ad-based revenue model. It has evolved from various largely 
unsuccessful, outdated, or (now) illegal models and finally landed on something that appears to consistently 
generate cash and increase margins. Management no doubt want to cash-in while they can. 


Truecaller’s huge top-line growth since IPO was a one-time boost resulting from, ironically, spamming their 

users with more ads. 

- The Truecaller app advertisements historically were only pushed when unknown numbers called their 
users. Now ads are pushed to users on every call, including their known contacts, this boosted ad 
impressions by 4x, completely void of fundamentals. 

- This created a huge one-time revenue bump spread across approximately 2 years. Impressions per-user 
per-day are now flat or decreasing on a quarterly basis.Truecaller has pushed so many ads that it’s 
impressions now vastly exceed its own market opportunity estimates from its 2021 prospectus, 
barely a year old. 


Truecaller’s premium user base, previously stagnant, now appears to be falling. 


Management and key stakeholders have taken every opportunity to sell their stock and move on. 


Truecaller’s Indian auditor was also Wirecard’s local auditor for a time. They have more recently been 
banned from auditing financial institutions. 


Privacy concerns & third-party policy breaches 


Viceroy believes that Truecaller is in violation of Google’s Privacy Policy, which states: “We don't allow 
unauthorized publishing or disclosure of people's non-public contacts.” This appears to be a blanket statement. 


Truecaller’s app does not allow for an “enhanced search” if downloaded from the Play Store. 

-  Truecaller thinks that by enticing users into signing-in on its website (via Google accounts), it can then 
“Enhance Search” contacts by circumventing the app store. 

- | Many phones in India are sold with Truecaller pre-installed, and the app is available for download 
directly from the company website. These are not subject to Google Play rules, according to Truecaller. 

- The “enhanced search” feature scrapes all contact data from users phones into the Truecaller database. 

Accordingly: Truecaller’s database absolutely allows for search of non-user numbers and names without 

their consent. 


Freely available bootleg copies of Truecaller’s app are available with “premium enabled”. These likely 
contain malware, do not push ads to free users, and can still directly communicate with Truecaller’s data. 


Fundamental Short — Redundancy 


Most developed countries/regions have network spam filters operated by telecommunications agencies. 

These network filters now threaten underdeveloped markets where Truecaller thrive and will rapidly limit 

Truecaller’s TAM. 

- The Telecom Regulatory Authority of India (TRAI) announced intention to create an ID-based network 
filter which will make Truecaller’s spam filter redundant. The consultation paper is due next month. 

- The Draft Indian Telecommunication Bill section on caller identification reads like a Truecaller design 
brief, except using the national ID system and without ads. It also lists spam as an arrestable offence. 

-  Truecaller has claimed in various press pieces that Government regulation has not impacted their 
business in other geographies. This is because Truecaller has minute business in geographies with spam 
filters. 
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Original equipment manufacturers such as Apple, Google, Xiami & Samsung all have in-house spam filtering 

software, and capacity to wipe out Truecaller. 

Over-the-top services such as WhatsApp, are posing a greater threat to Truecaller through offering an 

alternative spam-free communication channel. 

- Call blocking is set on by default unless a user has the caller registered as a contact. 

- Former employees expressed a view that it would be impossible for Truecaller to supplant Whatsapp 
in India, or for the government to restrict Whatsapp. 

- WhatsApp has integrated many business functions with tech players and is due to arrive in India in the 
short term. This will deteriorate Truecaller’s aspirations to become a serious B2B player, spending only 
USD ~2m on R&D in 2021. 


The Sideshow 


Truecaller’s constant breaches & data security failures are met with constant denial from management, and are 
a spectacle to behold. Regulators in Truecaller target growth regions have cracked down on Truecaller out for 
privacy breaches. In fact, Truecaller’s system has been so effective for fraudsters to identify individuals that even 
international spy agencies have Truecaller slides in the training decks>. 


Indian Investigative Journal “The Caravan” published an in-depth report on Truecaller’s invasive app and 

interviewed several concerned employees on exactly how much data the company was able to access . 

- | Former employees claimed that Truecaller had access to user SMS messages and was able to build out 
a financial profile of each individual. In India most banking and transaction confirmations are done 
through SMS which Truecaller’s algorithm can read 

Nigeria’s National Information Technology Development Agency investigated Truecaller for “collect[ing] far 

more information than it needs to provide its primary service” among other things, and publicly urged 

Nigerians to delist themselves from the service. Truecaller stated that it planned to remedy the situation 

and fall in line with Nigeria’s Data Protection Regulation (NDPR)°. 

-  Truecaller’s new Nigerian Privacy Policy prohibits accessing a user’s address book if the app is 
downloaded from the Google or Apple app stores. 

Anonymous developer Angry Wizard detailed in 2019 how Truecaller’s user-data is transferred to a third- 

party mobile marketing company based out California on sign-up. User data is uploaded to Truecaller 

servers over GET. Angry Wizard claims that at the time he could access the entire Truecaller database. 

- Techpoint Africa verified this claim by sending user and non-user numbers, which Angry Wizard 
identified. 

- Screenshots show that EU resident data is still being processed by Truecaller until at least 2019, despite 
implementation of GDPR. 

Privacy International broke a story of an investigative journalist who was identified by a cab driver using 

true caller on her way to meet a secret whistleblower in West Africa. Ironically (and with sprinkle of victim 

bashing) Truecaller responded that the Journalist should have set her phone settings to “Do Not Show Caller 

ID”. 

-  Truecaller then claimed to be “especially appreciated by women” in India, claiming they have no other 
way to protect themselves from abusive calls unless they subscribe to an app “like Truecaller”. 

-  Truecaller then claims responsibility for solving for two horrific child kidnapping cases because 
kidnapper numbers were able to be reverse searched and their names identified. 

Millions of Truecaller users’ personal data were leaked and sold on the dark web in 2019’. 

- An investigation by the Economic Times suggested that European user data was sold for €25k, Indian 
user data for €2k°. 


6 NDPR is nascent secondary law, and awaits passing of the bill in the National Assembly. 
7 https://www.indiatoday.in/technology/news/story/personal-data-of-millions-of-Truecaller-users-available-on-dark-web- 


1531969-2anger019-05-22 


8 https://www.darknetstats.com/Truecaller-data-breach-personal-data-leaked-company-denies-breach/ 
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Attention: Whistleblowers 


Viceroy encourage any parties with information pertaining to misconduct within Truecaller, its affiliates, or any other entity 
to file a report with the appropriate regulatory body. 


We also understand first-hand the retaliation whistleblowers sometimes face for championing these issues. Where possible, 
Viceroy is happy act as intermediaries in providing information to regulators and reporting information in the public interest 
in order to protect the identities of whistleblowers. 


You can contact the Viceroy team via email on viceroy@viceroyresearch.com. 
About Viceroy 


Viceroy Research are an investigative financial research group. As global markets become increasingly opaque and complex 
— and traditional gatekeepers and safeguards often compromised — investors and shareholders are at greater risk than ever 
of being misled or uninformed by public companies and their promoters and sponsors. Our mission is to sift fact from fiction 
and encourage greater management accountability through transparency in reporting and disclosure by public companies 
and overall improve the quality of global capital markets. 


Important Disclaimer — Please read before continuing 


This report has been prepared for educational purposes only and expresses our opinions. This report and any statements 
made in connection with it are the authors’ opinions, which have been based upon publicly available facts, field research, 
information, and analysis through our due diligence process, and are not statements of fact. All expressions of opinion are 
subject to change without notice, and we do not undertake to update or supplement any reports or any of the information, 
analysis and opinion contained in them. We believe that the publication of our opinions about public companies that we 
research is in the public interest. We are entitled to our opinions and to the right to express such opinions in a public forum. 
You can access any information or evidence cited in this report or that we relied on to write this report from information in 
the public domain. 


To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from 
public sources we believe to be accurate and reliable, and who are not insiders or connected persons of the stock covered 
herein or who may otherwise owe any fiduciary duty or duty of confidentiality to the issuer. We have a good-faith belief in 
everything we write; however, all such information is presented "as is," without warranty of any kind — whether express or 
implied. 


In no event will we be liable for any direct or indirect trading losses caused by any information available on this report. Think 
critically about our opinions and do your own research and analysis before making any investment decisions. We are not 
registered as an investment advisor in any jurisdiction. By downloading, reading or otherwise using this report, you agree to 
do your own research and due diligence before making any investment decision with respect to securities discussed herein, 
and by doing so, you represent to us that you have sufficient investment sophistication to critically assess the information, 
analysis and opinions in this report. You should seek the advice of a security professional regarding your stock transactions. 


This document or any information herein should not be interpreted as an offer, a solicitation of an offer, invitation, marketing 
of services or products, advertisement, inducement, or representation of any kind, nor as investment advice or a 
recommendation to buy or sell any investment products or to make any type of investment, or as an opinion on the merits 
or otherwise of any particular investment or investment strategy. 


Any examples or interpretations of investments and investment strategies or trade ideas are intended for illustrative and 
educational purposes only and are not indicative of the historical or future performance or the chances of success of any 
particular investment and/or strategy. As of the publication date of this report, you should assume that the authors have a 
direct or indirect interest/position in all stocks (and/or options, swaps, and other derivative securities related to the stock) 
and bonds covered herein, and therefore stand to realize monetary gains in the event that the price of either declines. 


The authors may continue transacting directly and/or indirectly in the securities of issuers covered on this report for an 
indefinite period and may be long, short, or neutral at any time hereafter regardless of their initial recommendation. 
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1. How the App Works & Broad Privacy Concerns 


To understand the risks Truecaller poses to users — and thus the risk privacy laws pose to Truecaller — we have 
to understand how the app works. 


Building the Data 
Fundamentally, Truecaller builds a “phonebook” and refines its spam database by: 


= Gathering identities of users and their address books (where they are allowed to). This is by far the most 
valuable and invasive data users are providing to Truecaller. 

= Processing user-submitted “spam” numbers. 

= Identifying numbers which have exhibited spam-like behavior such as calling multiple unrelated Truecaller 
users. 


Using the App 


Viceroy has created various Truecaller IDs on various dummy phones to play around with privacy settings, trace 
data packets, check permissions and third-party trackers, and verify Truecaller’s privacy claims. 


Meet Mike Rotch: 


Identified by truecaller 


Mike Rotch 


Q Address 


© Email 


+& Save contact © Add tag Ø Suggest name Mark as spam 


THE DISPLAYED CONTENT IS UNMODERATED 


Figure 1 — Mike Rotch dummy Truecaller profile 


Mike is a hypothetical French Truecaller user with full permissions granted. Mike allowed Truecaller access to 
his contacts (John, Paul, George & Ringo) but because he is French, Truecaller cannot use this data in their 
database (GDPR — Section 2). 


Mike can search any number on the app, including random numbers in India, and find the person’s name if they 
or someone who has them as a contact uses Truecaller. Creepy. Truecaller states that the reverse search by 
name is not possible. This is untrue: 


=" Mike can search anyone’s name, for instance, an ex-girlfriend he wants to abuse. If she on the Truecaller 
app, she only has to click accept and all details will be shared. Mike also doesn’t have to use his real 
name: he can use any name he wants (maybe the name of a relative of this woman)’. 

= This woman could retaliate and ask all her friends on the Truecaller app to flag Mike as “spam”, 
inaccurately attributing incorrect personal information to Mike’s number. 


We also note that, in some instances, Viceroy name searches across Europe immediately showed the users’ 
phone numbers. 


9 For the sake of clarity, no member of Viceroy is named Mike Rotch and no ID was required to create this profile. 
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2. “We are an Indian Company” - GDPR Analysis 


GDPR violation 


Viceroy Research have consulted with various GDPR experts on the intricacies of a business model resembling 
Truecaller. We believe Truecaller is subject to GDPR, and in violation of: 


= Article 7 — Conditions for consent. 

-  Truecaller does not ask for consent from third party non-users when it processes their data. It instead 
asks users whether they have informed and obtained the consent of every contact they upload to 
Truecaller. 

= Article 14 — Information to be provided where personal data have not been obtained from the data subject 

-  Truecaller does not provide any of the information required to the data subject where their data was 
not obtained from them directly. Exemptions to this rule (archival purposes, scientific or historical 
research, statistical research) are not applicable to Truecaller. 

= Article 34 — Communication of a data breach to a subject. 


- Weare unable to find any time that Truecaller has discharged their obligations to notify data subject of 
a data breach. In fact, we are unable to find a single instance where Truecaller has been honest about 
data breaches even when they were confirmed by third parties through Truecaller’s search function. 


- We are unable to find any instances where Truecaller has notified non-user data subjects that their 
personal information has been incorrectly publicly displayed without their consent. 


Further, by failing to discharge their obligations under Articles 7 and 14, Truecaller is effectively depriving data 
subjects of their following rights: 


= Article 15 — Right of Access 

= Article 16 — Right to Rectification 

= Article 17 — Right to be Forgotten 

= Article 18 — Right to Restriction of Processing 


We tested this by adding several identities to Truecaller through a dummy account. None of these identities 
were informed or even contacted by Truecaller. You, our reader, may be part of the Truecaller database without 
knowing about it. You may even be marked as spam or under a different name. 


These issues came to a head in 2017 when the Article 29 Data Protection Working Party sent a letter to Truecaller 
about the information of third-party non-users?®. 


These are not violations that can be fixed with a patch or privacy policy update. These violations were exactly 
the fundamental way Truecaller built its database. 


Truecaller then moved their servers to India in 2018", we believe in part to take advantage of lax privacy and 
data protection laws. Despite moving data centers to India, Viceroy believe Truecaller is still subject to GDPR 
regulations, and that these regulations apply to all Truecaller users. 


10 https://ec.europa.eu/newsroom/article29/items/610173 


11 https://www.newindianexpress.com/business/2022/mar/29/bullish-about-indian-business-prospects-viewing-data- 
protection-law-positively-Truecaller-ceo-2435516.html 
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Does GDPR apply? 


Viceroy believe Truecaller is a data controller established in the EU under Article 3 of GDPR and bears the 
relevant responsibilities regardless of their data subjects’ location or nationality. 


The European Data Protection Board recommends a 3-step approach to determining applicability of GDPR**: 
3(1) — Establishment within the union. 


Truecaller’s head office is in Sweden, where it employs staff and therefore qualifies as an establishment. Experts 
told us that a small office or a branch would suffice, and that in some cases a single employee or agent with 
enough stability would satisfy the test. The billing of clients in Sweden is inextricably linked to the operational 
activities of Truecaller (whether in India, or abroad). 


3(2) — Processing of personal data carried out “in the context of the activities” of an establishment. 


Truecaller collects EU citizens phone numbers and information associated with it and uses this information to 
provide a service to EU citizen users which constitutes both monitoring EU citizen behavior and offering a service 
to them. 


True Software Scandinavia AB is the billing entity for all Truecaller revenues worldwide and the contracting entity 
and processor for users in the EEA. 


3(3) — Application of the GDPR to the establishment of a controller or a processor in the Union, 
regardless of whether the processing takes place in the Union or not. 


It should be noted that these criteria are not applied in aggregate but individually. By all measurements, 
Truecaller falls within the criteria for a company subject to GDPR. 


Further a guidance document by the EDPB clarifies that Article 3(1) considers “any personal data processing in 
the context of the activities of an establishment in the Union would fall under the scope of GDPR, regardless of 
the location and nationality of the data subject whose personal data are being processed. 


The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data 
of individuals who are in the Union. The EDPB therefore considers that « any | y personal data processing 
‘in the context of the activities of an establishment of a controller or processor in the Union would fall 
under the scope of the GDPR, regardless of the location or the nationality of the data subject whose 
personal data are being processed. This approach is supported by Recital 14 of the GDPR which states 
that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their 


nationality or place of residence, in relation to the processing of their personal data.” 
Figure 2 — Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) 


We are seeking clarification but it appears that through being a Swedish company Truecaller are responsible for 
GDPR-compliant treatment of all their customers, not just those in the EEA. 


As a Swedish company Truecaller is under the remit of the Swedish Authority for Privacy Protection 
(Integritetsskyddsmyndigheten). We have sent a copy of this report to the Integritetsskyddsmyndigheten. 


12 https://edpb.europa.eu/sites/default/files/files/filel/edpb guidelines 3 2018 territorial scope_en.pdf 
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3. “We are a Swedish Company” — A Hot Take on Taxes 


Immediately after it received a list of concerns from the Article 29 Working Group (Section 2), Truecaller moved 
“100%” of its data centers and substantially all its operations to India to be GDPR “compliant”. 


We fully expect Truecaller to respond to our report of GDPR breaches with something like this: 


“European Data Protection Board guidelines 3/2018 on the territorial scope of the GDPR Article 3 state 
that the mere presence of having employees in India is not sufficient to trigger the application of GDPR. 
For processing in question to fall under GDPR, it must also be carried out in the context of the activities 


of the EU-based employees.” 


The argument Truecaller will no doubt make is that it is first and foremost an Indian company with all respect to 
operations and R&D. It only maintains billing and other head office activities in Sweden”. This has clearly caught 


the attention of the Royal Bank of India and Truecaller’s auditors. 


In 2021: 56% of “average number of employees” and 63% of “new hires” were in India. 


Of whom 
Average number of employees 2021 women, % 
Sweden 120 21% 
india 155 26% 
Total 275 24% 
Of whom in the parent company (Sweden): 1 0% 

Region # % 

Sweden 41 37% 

India 70 63% 

Kenya 0 0% 

Total 111 100 % 


Figures 3 & 4 — Truecaller Annual Report 2021 


Even substantially all Truecaller’s global R&D appears to be done in India (an embarrassing SEK ~20m in 2021). 


Figure 5 — Truecaller International LLP Annual Report 2021 


India is also Truecaller’s biggest market, representing over 70% of users and 78% of revenues as of Q2 2022. 


Revenues distributed by region 

Net sales in India grew 130 percent to SEK 378.7 million (164.6), 
in the Middle East & Africa by 38 percent to SEK 55.9 million 
(40.5), and in the rest of the world by 31 percent to SEK 45.8 


million (34.9). 
A = [dia 78.9% 
e ® Africa and Middle East 
11.6% 
= ROW 9.5% 


Figure 6 — Truecaller Annual Report 2021 


How much tax does Truecaller pay in India? Zero. 
This is incompatible with Truecaller’s GDPR stance. 


13 CEJ Google Spain case found that activities related to Google Spain’s billing (in Spain) and data processing (outside EU) 


were inextricably linked, thus subject to GDPR. 
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A dive into a loss-making Indian subsidiary 


Truecaller’s Indian Subsidiary, “Truecaller International LLP”, has an emphasis of matter in its audit report for 
2021, stating that management is “seeking approvals” and “taking steps thereof” under the Reserve Bank of 
India’s guidelines for transfer pricing and GST (VAT). Reading between the lines, Viceroy believe Truecaller are 
under investigation for tax fraud in India. 


21 Contingent liabilities and commitments 


Figure 7 — Truecaller International LLP Annual Report 2021 


Truecaller bills almost all services and ads from Sweden. It does not appear to charge or pay GST, as it classifies 
ad sales to Indian consumers as an export service. This includes ad sales to Indian users by Indian companies. In 
these respects Truecaller now considers itself a “Swedish Company” 14. 


A dive into local Indian accounts show that Truecaller India bills substantially all its revenue from Sweden. 
However, these bills are not even sufficient to break-even. 


b) Secondary business segment 


THe LL condary eg are b 


Other assets used by the LLP’s business or liabilities contracted have not been identified to any reportable geographical segments as the other assets and services are used 


interchangeably between segments. Refer note 2.1m 


Secondary segment information 


(Amount in Rs.) 


Segment revenue 


527 


India 163,378,368 


70 


15.800.387 


Others 60.331.590 46,714,548 
Total 1,300,599,585 765,058,750 


Trucealler International LLP 


LLP Identity Number (LLPIN) - AAK3926 
Statement of Income and Expenditure for the year ended March 31, 2021 


All amounts in Indian Rupees (Rs.), except stated otherwise (Amount in Rs.) 
Notes March 31, 2021 March 31, 2020 
Income 


1.300.599 585 765.058.750 
29,096 


Revenue from operations 
95,612 


Other income 


Expenses 


Employee benefit expenses 14 416,356,015 350,200,172 


Employee share based payments (including prior period expense of Rs 120 124.396.948 442.710.921 
nil (March 31, 2020: Rs.244,588,132) 


Hosting charges 392,013,571 267,492,897 
SMS and phone verification charges 153,205,700 99,018,079 
Advertisement and business promotion expenses 117,841,190 $2,321,430 
Other expenses Is 211.656.405 143,242,006 
Fotal expenses (ii) M S 
(Deficit)/surplus before tax | (ii) = G) - Gi) | (114,774,632) (619,897,659) 


L 


Figures 8 & 9 — Truecaller International LLP Annual Report 2021 


Truecaller International’s reported loss was SEK 15m, despite itself recording SEK ~15m in 
profits in the same period. 


14 We note that local advertisement agencies may indeed collect GST on behalf of end users. There is an argument to be 
made here on competitive nature of this from a basic pricing perspective. 
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Transfer Pricing Methodology 


Currently, Truecaller prescribes a “cost-plus” method for transfer pricing out of India. This is a prescribed 
transfer pricing method but is more commonly used for undifferentiated manufacturing goods with various 
comparable market prices. 


Income from software development services: 


T= <<—<§£ l S = Conos 
partner entity on a 


Figure 10 — Truecaller International LLP 


Viceroy do not believe this method will be accepted by the RBI for the development and operational running 
costs of Swedish software being sold primarily to the Indian market?. We highly suspect that this is the 
underlying reason for the auditor’s EOM in Truecaller International LLP’s financial accounts. 


Case studies already exist where Transfer Pricing Officers have disputed cost-plus models from industries trying 
to abuse Indian cost-plus transfer pricing, and were forced to recognize profits on an appropriate ratio based on 
the “functional profiles” of international customers and local taxpayer “suppliers”*®. 


The effective tax rate in India is ~29%, and income is subject to a further dividend withholding tax of 20%7 3°. 
Thus, the Catch-22: 


= Truecaller is an Indian company when subject to GDPR and conducts almost all its operations in India. It’s 
transfer pricing method is reserved almost exclusively for undifferentiated services which don’t bear risk. 

= Truecaller is a Swedish company when it’s time to lodge its tax filings. It pays taxes almost exclusively in 
Sweden. This is despite all processing risk and operations being carried out in India. 


Viceroy will not place value on possible tax implications given the complexity of transfer pricing guidelines and 
the tax treaty between Sweden & India. We have high conviction that Truecaller will be subject to far higher tax 
obligations when properly accounted for. 


45 Readers should research intricacies and various limitations to cost-plus transfer pricing, including how tax agencies view 
risk-taking activity, and how parties are inextricably linked. 

16 https://www.pwc.com/gx/en/international-transfer-pricing/assets/india.pdf 

17 https://taxsummaries.pwc.com/india/corporate/taxes-on-corporate- 
income#:~:text=A%20beneficial%20CIT%20rate%20o0f,from%20tax%20year%202019%2F20. 

18 https://taxsummaries.pwc.com/india/corporate/withholding-taxes 


Viceroy Research Group 11 viceroyresearch.org 


4. Financial Analysis 


Revenue Growth One-Off 


Truecaller’s ad revenues have increased massive since its IPO, completely uncorrelated from user growth. This 
is because Truecaller ironically spammed customers with more ads. 


A transcript of a Tegus?? interview with a former Truecaller employee, sighted by Viceroy, stated the following 
stated the following: 


“One thing that Truecaller said recently, how they increase their ads per user, right? If you look at the 
history, in the last couple of years, it seems to have increased, right, the number of use of ads per 
user...maybe the one thing that's very important to understand...let us say | get a phone call... from a 
user who is not in my address book or my phone book, Truecaller will show a pop-up with some name 
or whatever...then there would be an advertisement attached to it 


So, if my mom or dad or somebody else called, then Truecaller would not have a pop-up because there 
is no value to be added because I know who is calling... my phone itself will tell me that my dad is calling. 


Just before their IPO, they decided to just open it up to everybody, just show [ads] for every call that 
comes... that means if | get 10 calls per day, earlier, | might have seen the ad once. But suddenly, I see 
[ads] 10 times, right, because it's from known people, which means that growth is a onetime thing. It's 
not sustainable.” 


- Tegus Interview (emphasis added) 


The Truecaller app advertisements historically were only pushed when unknown numbers called their users. 
Now ads are pushed to users on every call, including their known contacts. If you block some spam calls, you 
can’t monetize ads on those calls. It’s all very ironic. 


This created a huge one-time revenue bump driven by a 3-4x increase in user impressions spread across 
approximately 1 year, with no visible or consistent improvement to impressions monetized. Impressions per- 
user per-day are now flat/decreasing q/q. 


Advertising Analysis - Truecaller 2022 
Q1 Q4 Q1 Q2 
Average Daily Active Users 174 239 248 255 
qoq change 4% 4% 3% 
Advertising revenue SEKm 339 339 414 
qoq change 28% 0% 22% 
Impressions/user/day n 12 12 12 
qoq change 19 8% 4% -1% 
CPM SEK 1.18 1.28 “ 0.89 1.05 1.18 1.34 1.24 1.49 


Figure 11 — Advertising Analysis — Viceroy Research 


19 https://www.tegus.com/ 
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Somehow exceeding “market opportunity” 


To get a sense of how absurd Truecaller’s ad placement has become, it already exceeded its total “market 
opportunity” as identified in its prospectus issued in Q3 2021, by Q2 2021. As of Q2 2022, Truecaller’s annualized 


impressions have flatlined around 1,100 billion: 


| Advertising Analysis - Truecaller 2020 2021 2022 
Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 
Advertising revenue SEKm 103 149 146 199 266 339 339 414 
CPM SEK 1.28 1.24 0.89 1.05 1.18 1.34 1.24 1.49 
Impressions annualized illions 323 480 654 757 901 1,012 1,093 1,112 


Truecaller has high-value inventory that serves over 10,000 
advertisers on its app, including marquee advertisers like 
Spotify, Disney+ Hotstar, Vivo, ZEE5 and Flipkart, who leverage 
Truecaller's platform to broaden their reach. In 2020, Truecaller 
had over 294 billion total annual impressions monetized 
(approximately 4.3 daily impressions per DAU) at a CPM of SEK 
1.23. 


Figures 12 & 1314 — Viceroy Analysis and Truecaller Prospectusm respectively 


Readers can also observe that increases in CPM are negatively correlated with impression growth. Viceroy 
believe growth has or will plateau over the coming 12 months, data protection issues aside. 


Premium userbase falling 


Truecaller’s premium subscriber counts appear to be falling as raw user counts are increasing. We can determine 
premium user numbers through the following equation. 


Quarterly Premium User Revenue 


Monthly Premium User ARPU x 3 ee eon 
Premium User Analysis - Truecaller 2020 2021 2022 
| Q3 a4 Q1 Q2 Q3 Q4 Q1 Q2 
| ARPU per premium subscriber SEK 8.1 8.1 7.4 7.6 8.8 8.4 8.1 8.7 
India 5.0 4.9 4.1 4.3 6.1 5.4 4.5 572 
MEA ) 10.7 10.8 10.0 9.9 10.0 9.9 10.1 10.6 
Rest of world 13.9 13.5 HAT 121 11.9 11.6 11.8 n25 
Premium user revenue 31.0 33.3 34.0 34.5 35.0 35.6 
Premium subscribers 1,275,720 1,373,762 1,533,604 1,521,164 1,322,751 1,407,671  1,61( 5 1,582,569 
Est. premium user penetration 0.67% 0.68% 0.73% 0.70% 0.58% 0.59% 65% 0.62% 


Figure 15 — Premium User Analysis — Viceroy Research 


Truecaller claims premium growth has been stumped due to a Google dispute with the Royal Bank of India which 
has temporarily disallowed subscription auto-renewals. The reality remains that Truecaller’s revenue growth 


from premium customers can be largely attributed to pricing increases. 


Interviews with former employees did not corroborate management’s views on premium subscriber growth. A 
Tegus interview with a former Truecaller employee, sighted by Viceroy, stated the following: 


“So, the thing is subscriptions, again, approximately, again you can check it from their prospectus, but 
there were about 1m to 1.5m subscribers paying about, | don't know, $2 a month or something like that, 
right? So probably even lesser because in India, it is about $0.50 a month approximately. But that is a 
stagnant business. It is not growing since the last couple of years.” 


- Tegus Interview (emphasis added) 
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No skin in the game 


Don’t be fooled: Truecaller management is laughing all the way to the bank. Management and early investors 
have taken every opportunity available to offload as much stock as possible. A non-exhaustive list of enormous 
placements follows: 


The Truecaller IPO comprised of only 19m newly issued B-shares against 34m B-shares sold by existing 
shareholders, including the company’s founders and venture capitalists. 


|e The price in the Offering has been set at SEK 52 per Class B share, corresponding to a market 


capitalization of approximately SEK 19,431 upon completion of the Offering. 

e The Offering comprised 53,414,532 Class B shares, of which 19,230,770 are newly issued Class B 
shares and 34,183,762 Class B shares sold by certain existing shareholders, including among 
others the Company's founders Alan Mamedi and Nami Zarringhalam, Sequoia Capital India, 
Atomico, Kleiner Perkins and certain companies[1] structured to manage long-term incentive 
programs for the Company's employees. 


Figure 16 — Truecaller IPO brief?’ 


Major early backers Sequoia, Kleiner Perkins & Atomico sold a further 21 million B-shares on 17 May 2022: 


Stockholm, 17 May 2022 


Sale of B-shares in Truecaller AB (publ) 


Atomico', Kleiner Perkins? and Sequoia Capital India? have sold 21 million existing B-shares in Truecaller AB (publ) 
(“Truecaller”) through an accelerated book-building to Swedish and international institutional investors at a price of SEK 
61.2 per share (the “Share Sale”). 


Figure 17 — Press Release Sale of B Shares by major backers?1 


Atomico sold the remainder of its position earlier this month: 5 September 2022 


[stockhoim, 5 Sep 2022 


|Sale of B-shares in Truecaller AB (publ) 


|Atomico' has sold its entire remaining stake of 8,226,738 B-shares in Truecaller AB (publ) (“Truecaller”) to a limited 
|number of long only Nordic and international institutional investors (the “Share Sale”). The Share Sale represents 


Japproximately 2.2% of the total number of shares outstanding in Truecaller. 
L 


Figure 18 — Press Release Sale of B Shares by Atomico?? 


Sequoia remains Truecaller’s largest shareholder and a part of the company’s board, but the existence of 
directors’ A-shares dilutes Sequoia’s ~20% financial interest to little over 8% voting rights: 


Name Num. of shares Change Capital Votes Verified 


Sequoia Capital 63,521,491 -712,788 16.76% 7.99% 2022-08-29 
Nami Zarringhalam 27,185,487 0 7.17% 29.90% 2022-08-29 
Alan Mamedi 27,185,487 0 7.17% 29.90% 2022-08-29 


Figure 19 — Truecaller’s top shareholders as of 27 Sep 202273 


It largely appears as though major backers are losing interest. Buyer beware. 


22 https://news.cision.com/se/carnegie/r/sale-of-b-shares-in-truecaller-ab--publ-,c3626238 


23 https://corporate.truecaller.com/investors/the-share 
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Indian Auditors: SR Batliboi 


Truecaller’s local Indian auditor has received the largest fine handed to auditors in India’s history for its audits 
of Axis Bank and Yes Bank. 


RBI bars EY group's Batliboi 
from auditing bank books for 
one year 


The central bank says it found lapses in the books of banks audited by the firm 


Topics 
Sr Batliboi | Reserve Bank Of India | Audit Firms 


Figure 20 — RBI bars EY group Batliboi from auditing bank books for one year- Business Standard”* 
SR Batliboi was also the local auditor for some of Wirecard’s Indian subsidiaries. 


We note that SR Batliboi cited ‘inability to continue’ for the Star Global audit on 12 July 2017. SR Batliboi also 
signed for Visa Processing Services (Wirecard India) on 26 September 2016. 


The firm was also found prima facie guilty by the Institute of Chartered Accountants of India for its audit of 
Infrastructure Leasing and Financial Services”. 
anf Figs Yovww.mga go. 


Changes of auditors after takeovers are not unusual however, and Wirecard should Weturally want to align audit in India to the 
E&Y affiliate; SR Batliboi. SR BEMIBGI is a JV (of Ernst & Young and S.R. Batlinoi). E&Y lists 12 firms,& affiliates ta India at 05 
January 2018. However, SR Batliboi only audited Visa Processing Services ahd affother Wirecaftéebusiness fer ope year (Star 


Global), in India 


We already noted that SR Batliboi cited ‘inability to continue’ forthe StanGlobal audit’ea12 July 2017. $R’Batliboi was in place 


on Visa Processing Services (Wirecard India) for signing on@6"September 2076 


Figure 21 — Extract from The Analyst report on Wirecard?6 


Enough said. 


24 https://www.business-standard.com/article/companies/rbi-bars-ey-group-s-batliboi-from-auditing-bank-books-for-one- 

year-119060301662_1.html 

5 https://www.taxscan.in/icai-ilfs-auditors-guilty-professional-misconduct/31368/ 

26 https://d1032tunhOh64a.cloudfront.net/6465/Wirecard---Audits-and-Revenue-Recognition-Concern-14-02-2019 FINAL- 
VERSION. pdf 
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5. Privacy concerns & third-party policy breaches 


Google Privacy Policy Violation 


Viceroy believes that Truecaller is in violation of Google’s Privacy Policy. Google’s privacy policy states, “We 
don't allow unauthorized publishing or disclosure of people's non-public contacts.” and has remained unchanged 
since at least 20167”. 


Your app handles non-public We don't allow unauthorized publishing or disclosure of 
phonebook or contact information people's non-public contacts. 
Figure 22 Google User Data Guidelines 


Without re-exploring GDPR and limitations already placed on play-store downloads: Truecaller uploads entire 
contact books of Truecaller pre-installed phones & from APK website downloads. These contacts are searchable 
without the consent of non-users. We know: Viceroy have conducted several successful searches of non-user 
Indian friends who actively appear on Truecaller’s contact book. 


Former employees confirmed that the Truecaller app downloaded from the Google Play store does not scrape 
contact book data. 


However: former employees also advised that Truecaller have ingeniously (sarcasm) bypassed Google Play’s 
policy by enticing users to sign into their accounts via web browser through their Google accounts where 
“Enhanced Search” feature is auto-clicked “on”. Truecaller allegedly believes this is not a breach of the Play 
Store’s privacy policy. 


Sign In 


Sign in to search phone numbers 


G SIGN IN WITH GOOGLE 


SIGN IN WITH MICROSOFT 


I'm a resident of India v 


By enabling Enhanced Search, your contacts are securely shared with Truecaller. This 
improves accuracy of your search results and helps improve the experience for millions of 
users around the world. 


By signing in, | accept the terms of service and privacy policy 


Your privacy is important to us 
Please review below the key points of our privacy policy 


Figure 23 — Sign-In Landing Page snippet — 27 Sep 202278 


27 https://support.google.com/googleplay/android-developer/answer/10144311 ?hl=en 


The above site was indexed by google on June 15, 2016 
28 https://www.truecaller.com/auth/sign-in 
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Viceroy believe Truecaller has also intentionally misconstrued “publishing and disclosure” with “searchability” 
in its Google Play Store privacy notice: 


Your data stays safe with us. | 


Truecaller does not upload phonebooks to make them r public from Google Play or 
Apple App Store downloads. We strictly follow the Google Play & Apple App Store guidelines, which 
prohibit any app from doing so. 


Figure 24 — How Truecaller’s Caller ID Works — Your Questions Answered?2 
To be clear: Truecaller non-users are searchable on the Truecaller App downloaded from the Play Store, thus 


disclosing people’s non-public contacts from Truecaller’s historic data and direct-install users. This will only 
continue as the company pursues pre-installed versions as a bridgehead into newer markets”. 


Truecaller’s publicly searchable numbers have already been used to perpetrate the very scams it claims to stop 
with perpetrators using Truecaller’s number search to find targets to contact on WhatsApp and ask for funds. 


Figure 25 — The world of WhatsApp impersonation scams - newslaundry34 


Truecaller’s prospectus states that it had approximately 5.7b consumer and business identities and that the 
company, far exceeding the number of users. 


| Truecaller’s comprehensive reach built over the 12 years since 
its founding has enabled it to develop a unique data asset. 
With approximately 5.7 billion consumer and business phone 
numbers identified, Truecaller’s massive database of identified 
| phone numbers ("identities") built by the community and 


Figure 26 — Truecaller prospectus 


29 https://www. Truecaller.com/blog/features/how-Truecallers-caller-id-works-your-questions-answered 
30 https://timesofindia.indiatimes.com/gadgets-news/android-phones-may-soon-come-preloaded-with-Truecaller-app-in- 


these-countries/articleshow/89423906.cms 


31 https://www.newslaundry.com/2022/09/16/the-world-of-whatsapp-impersonation-scams-using-the-identities-of-the- 
rich-and-powerful 
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Unnecessary levels of access 


Truecaller’s website features a page called “permissions required at the time of registering your number on 
Truecaller’**. This list is already extremely invasive; however, Viceroy’s own checks show many more 
permissions are sought, and many trackers active in order to sell you advertisements. 


Trackers 
A | 
E 426 © | Criteo > 
Facebook Ads > 
Ms Advertisement 
Truecaller Facebook Analytics > 
Analytics 
© 13 HEZE a User cs) 
Facebook Login > 
Installed Version Identification 
12.37.8 
Analyzed Version Google AdMob > 
12456 Advertisement 
Report created on 17 September 2022 | 
Google CrashLytics > 
© Trackers [Permissions | TOR 
| 
| 
Trackers Google Firebase Analytics > 
We have found code signature of the following Analytics 
trackers in the application: 
IAB Open Measurement 
Amazon Advertisement > | P > 
Identification Advertisement 
Appnext > | 
AppsFlyer > Vungle > 
Analytics Advertisement 
CleverTap > A tracker is a piece of software meant to collect 
data about you or your usages 
Analytics Profiling Location | Learn more, 
—_ = —— 


Figures 27 & 28 — Exodus Privacy Truecaller Tracker Report — Sample dated 17 Sep 2022 


We make note that several of these third-party trackers do not appear on Truecaller’s disclosed list of third- 
party data processors: 


= Amazon is not a listed third-party data processor in any advertising or marketing category. 
= Vungle, or its parent company Chartboost, is not a listed third-party data processor in any advertising or 
marketing category. 


Another persistent concern notably raised in The Caravan investigation into Truecaller is the app’s ability to read 
SMS messages to build a full financial profile of the user. A former employee confirmed that the company’s 
algorithm can read SMS messages, which the company denies. 


| Google Asia Pacific Pte. Ltd.; Facebook Ireland Limited; Twitter 
Advertising International Company; Rubicon Project Inc.; InMobi Technology 
To provide advertising to the users (subject to user Services Pvt. Ltd.; Outbrain Inc.; OpenX Software Limited; Pubmatic 
consent in the app and third-party platforms) Inc.; Smaato Inc.; Dan Ads International AB; Appnext; Times 


/Columbia; Criteo; Chocolate Platform; Adsolut; IndexExchange 


| Communications or marketing 
To provide users who have opted to provide their 
email address with information about Truecaller 
including changes to policies and features or selected 
offers from third parties (where users have consented 
to special offers and promotions in the Privacy Centre). 


Figures 29 & 30 — Extract from Truecaller “List of third-party data providers” — 21 Sep 202134 


SendGrid Inc.; CleverTap; NetCore 


32 https://support. Truecaller.com/support/solutions/articles/81000392522-permissions-required-at-the-time-of- 
registering-your-number-on-Truecaller 

33 https://caravanmagazine.in/technology/Truecaller-data-consent-india-privacy-laws 

34 https://www. Truecaller.com/third-party-data-processors 
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Permissions 


Permissions 


We have found the following permissions in the 
application 


ACCESS_COARSE_LOCATION 
Access approximate location only In the 
foreground 


ACCESS_FINE_LOCATION 
Access precise location only in the 
foreground 


ACCESS_NETWORK_STATE 


View network connections 


ACCESS_NOTIFICATION_POLICY 
Access Do Not Disturb 


ACCESS_WIFI_STATE 
View Wi-Fi connections 


ACTION.HANDLER 
Com truecaller. permission ACTION HANDLER 


ANSWER_PHONE_CALLS 


Answer phone calls 


AUTHENTICATE_ACCOUNTS 
Android.permission, AUTHENTICATE_ACCOUNTS 


BADGE_COUNT_READ 
Me.everything. badger. permission BADGE_COUNT 
-READ 


BADGE_COUNT_WRITE 

Me. everything badger, permission. BADGE_COUNT 
WRITE 

BIND_NOTIFICATION_LISTENER_SERVICE 


Android,permission.BIND_NOTIFICATION_LISTEN 
ER_SERVICE 


READ_CALL_LOG 


BLUETOOTH 
Pair with Bluetooth devices 


BLUETOOTH_CONNECT 
Android.permission.BLUETOOTH_CONNECT 


BLUETOOTH_SCAN 
Android.permission.BLUETOOTH_SCAN 


BROADCAST_BADGE 
Com.sonyericsson.home. permission. BROADCAST 
_BADGE 


CALL_PHONE 


Directly call phone numbers 


CAMERA 
Take pictures and videos 


CHANGE_BADGE 
Com.huawei android.launcher permission. CHANG 
E BADGE 


CHANGE_NETWORK_STATE 
Change network connectivity 


CROP 
Com.miui.mediaeditor.permission, CROP 


DISABLE_KEYGUARD 
Disable your screen lock 


EDIT_PROFILE 
Com.truecaller.permission.EDIT_PROFILE 


ENHANCED_NOTIFICATION 
Com.truecaller.permission.ENHANCED_NOTIFICA 
TION 

FOREGROUND_SERVICE 

Run foreground service 


GET_ACCOUNTS 


Find accounts on the device 


INSTALL_SHORTCUT 
Install shortcuts 


INTERNET 
Have full network access 


MANAGE_ACCOUNTS 
Android.permission. MANAGE_ACCOUNTS 


MANAGE_OWN_CALLS 
Route calls through the system 


MMS_SEND_OUTBOX_MSG 
Android.permission. MMS_SEND_OUTBOX_MSG 


MODIFY_AUDIO_SETTINGS 
Change your audio settings 


PROCESS_OUTGOING_CALLS 
Reroute outgoing calls 


PROVIDER_INSERT_BADGE 
Com.sonymobile.home.permission. PROVIDER_IN 
SERT_BADGE 

READ 


Com.sec.android provider. badge permission. REA 
D 


read_account_state 
Com.truecaller.permission.sdk,internal.read_acco 
unt.state 

READ_APP_BADGE 

Android,permission. READ_APP_BADGE 


READ_CALL_LOG 
Read call log 


USE_FULL_SCREEN_INTENT 


Read call log 


READ_CONTACTS 
Read your contacts 


READ_EXTERNAL_STORAGE 
Read the contents of your shared storage 


READ_PHONE_NUMBERS 
Read phone numbers 


READ_PHONE_STATE 
Read phone status and identity 


READ_PROFILE 
Android.permission.READ_PROFILE 


READ_SETTINGS 
Com. htc. launcher.permission.READ_SETTINGS 


READ_SETTINGS 
Com, huawei.android launcher permission. READ_S 
ETTINGS 


READ_SETTINGS 
Com.oppo.launcher permission READ_SETTINGS 


READ_SMS 
Read your text messages (SMS or MMS) 


RECEIVE 


Receive data from Internet 


RECEIVE_BOOT_COMPLETED 
Run at startup 


RECEIVE_MMS. 
Receive text messages (MMS) 


RECEIVE_SMS 


Android.permission.USE_FULL_SCREEN_INTENT 


USE_NUMBER_SERVICE 


Com.truecaller.permission. USE_NUMBER_SERVIC 
E 


VIBRATE 
Control vibration 


WAKE_LOCK 
Prevent phone from sleeping 


WRITE 
Com,sec, android, provider.badge.permission, WRIT 
E 


WRITE_CALL_LOG 
Write call log 


WRITE_CONTACTS 
Modify your contacts 


WRITE_EXTERNAL_STORAGE 
Modify or delete the contents of your 
shared storage 

WRITE_SETTINGS 

Modify system settings 


WRITE_SETTINGS 
Com.huawei.android.launcher.permission. WRITE. 
SETTINGS 

WRITE_SETTINGS 
Com.oppo.launcher.permission,WRITE_SETTINGS 


WRITE_SMS 
Android permission, WRITE_SMS 


The icon ! indicates a ‘Dangerous’ or ‘Special level 
according to Google's protection levels. 


Figures 31, 32, 33, 34 & 35 — Exodus Privacy Truecaller Tracker Report — Sample dated 17 Sep 2022 


= Location data is shared to Truecaller, who claim that it is to “share location via SMS/Chat or Flash” and to 
“regionalize the top spammer list”. This is laughable. Truecaller does not disclose that location is shared to 
third party marketing agencies to sell user advertisements. 

= Truecaller accessed users’ network locations, wifi, and network states. This is not disclosed in their 
“permissions” page. 


Truecaller claims it on its “permissions” page that Contact book access is needed to know if callers are in users’ 
contact books to show caller ID. It fails to mention that in many countries your data is used to fill their database. 
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Bootleg copies 


For an app that claims to be all about privacy and security the Truecaller app appears to be remarkably unsecure. 
Despite the high-tech impression of the Truecaller app, there are literally hundreds of listings for downloading 
the premium or gold bootleg or “cracked” versions of the app on most torrent or .apk download sites. 


This is concerning as it shows that the Truecaller app has been compromised, and has been for some time, likely 
through exploiting its license verification code. 


Viceroy confirmed these cracked versions can communicate with Truecaller servers and appear as legitimate 
Truecaller Gold service users. We used an account registered on the official Truecaller website (Mike Rotch, 
mentioned above) and were able to log in without issue and were able to call other Truecaller numbers. 


A) al S GS: 9:26 3% --- all S E 
® Truecaller 09-21 09:26:34 
192.121.90.192:443 TCP No data 
presence-grpc-se1.truecaller.com SSL 
t Truecaller 09-21 09:26:26 F - 
192.121.90.192:443 TCP No data Here i f 
presence-grpc-se1.truecaller.com SSL re 
i » — e Ld 
K Truecaller 09-21 09:26:23 ot @ UNLOCKED 
192.121.90.168:443 TCP No data 1 = 
ingress, truecaller.com SSL . 
Gold Caller ID » P=] 
wv Truecaller 09-21 09:26:21 
192,121.90.192:443 TCP No data 
- 
presence-grpc-se1 .truecaller.com SSL e . a 
E Truecaller 09-21 09:26:20 
a 
192.121.90.193:443 TCP No data 
messenger-se1 .truecaller,com SSL 
E Truecaller 09-21 09:26:19 . be 
, 
192.121.90.192:443 TCP No data y 
presence-grpc-se1.truecaller.com SSL e 
= 
T 09-21 09:26:17 a 
i. ruecaller 93-21. 99:49 ` = 
192.121.90.192:443 TCP No data @ UNLOCKED 
‘i © + 
presence-grpc-se1.truecaller.com SSL , 
D ~ © ' 
p . + 
(SN Truecaller 09-21 09:26:17 Advancéd Spam Blocking 
192.121.90.168:443 TCP No data z e 
ingress.truecaller.com SSL 
t Truecaller 09-21 09:26:16 b $ o Automatically update top 6 
192.121.90.192:443 TCP No data spammers e 
presence-grpc-se1.truecaller.com SSL \ e 
Top spammers will be automatic€llyy 
ae updated o your phone 
D Truecaller 09-21 09:26:14 P A 
2.250.178.138:443 TCP No data ` 
aI AID in AN TAINAN nant co 
Calls Messages Contacts Premium Blocking 
| @ < | (O) < 


Figures 36 & 37 — Truecaller Packet capture and Truecaller Premium page on cracked app 


Experts contacted by Viceroy stated that it would be fairly easy to modify these cracked versions to extract 
Truecaller’s entire database. While the app seemed to restrict searches after a period of intense searching, a 
simple reinstallation seemed to reset our connection. 


Further the number of versions that have been cracked and the timespan implies these vulnerabilities have 
existed since 2016: over 300 versions of the app were found on one site alone. 
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Security Breaches 


Truecaller has been hacked several times in the past. This is a non-exhaustive list: 
The SEA 


In 2013 the Syrian Electronic Army, a group of Syrian hackers backing the Assad regime hacked into Truecaller’s 
website and claimed to have downloaded more than seven Truecaller databases with data worth 450GB. The 
SEA claimed it was able to exploit the website as it was based on an outdated wordpress platform and later 
published the database host ID, username and password”. 


Cheetah Mobile Security Research Lab 


In 2016 Cheetah Mobile Security Research Lab discovered that Truecaller only used a user’s IMEI number to 
authenticate users. The IMEI code allowed them to retrieve user details as well as modify account settings, add 
other users to block lists and delete block lists. It was also possible to write scripts to query random IMEI codes 
to find user details*®. 


The Economic Times Report 


In May 2019 a researcher reported that the mobile numbers and other user information of 300m Indian 
Truecaller users was for sale on the dark web. A spokesperson for Truecaller suggested that the data was 
obtained from within the app, corroborating our view that cracked versions of the app are a serious danger. 


s of data presented to us by the 
E ir rrespond to yaaa fields ne our users make available for sear 
app. The majority of the data that we analyzed did not match our systems. We beli 
‘itis possible that some malicious users have been abusing their Truecaller account in 


contravention of our terms of service to collect phone numbers." 


Figure 38 — Data Leaked for 300 Million Truecaller Users?” 


The data from the leak resurfaced in May 2020 when cyber risk firm Cyble identified a reputable seller selling 
the records of 47.5m Indian Truecaller records for only USD1,000*°. 


POC Malicious Link 


In November 2019 another researcher found a design flaw that allowed users to insert a malicious link in place 
of a profile picture to target attacks on other users viewing their profile’. 


35 https://timesofindia.indiatimes.com/tech-news/Truecaller-hacked-1-million-indians-data-at- 
risk/articleshow/21144470.cms 

36 https://news.softpedia.com/news/flaw-in-Truecaller-android-app-leaves-data-of-millions-of-users-exposed- 
502263.shtml 

37 https://www.bankinfosecurity.asia/researcher-data-leaked-for-300-million-Truecaller-users-a-12519 

38 https://blog.cyble.com/2020/05/26/47-5-million-indian-Truecaller-records-on-sale-for-only-1000, 

39 https://www.forbes.com/sites/zakdoffman/2019/11/24/critical-flaw-in-android-ios-phone-app-left-150-million-users-at- 
risk/?sh=6c54ef381ecO 


Viceroy Research Group 21 viceroyresearch.org 


The Angry Wizard 


A 2019 report by a developer by the name of AngryWizard claimed that Truecaller’s data was transmitted to 
external servers without user consent and that this data was easily accessible due to the method with which it 
was uploaded.” 


The report went on to claim that they were able to pull 30,000 contacts and names of scammers. At the time 
public and requiring no authentication, AngryWizard claimed they had access to over 10m identities**. They 
were also able to pull information on Truecaller users and non-users with their phone numbers. 


Angry Wizard also claimed the data was uploaded via GET, with screenshots to match: 


It makes a lot of API calls and contacts tons of domains. Your entire phonebook, contacts, etc 
also gets uploaded to their servers. Oh! And it's over "GET"? 


Go < ° Target httpsiisearchS-noneu.truecalier.com > 
Reques Response 


[aam] Params | Headers | Hex | Raw | Heoders | Hex | JSON Beautter | 


HITP/1.1 200 OF 


ne *SEARCHBESULTSYICHISTORYSZCDETAILSC | 


Figure 39 AngryWizard report on Truecaller 


Basically, anyone could pull entire data of all user uploads. Techpoint Africa reached out to Angry Wizard to test 
this: 


“The spam data is a community spam list, which is accessible to all our users and does not require the owner of the phone number 


to accept any terms,” he adds. 


To double-check these claims, on December 5, we sent two mobile numbers to the Wizard: one of a Truecaller user, and the other 


belonging to a non-Truecaller user and surprisingly, he sent back URLs containing information of both numbers. 


A day or two after, the links stopped working, so we briefly thought Truecaller had fixed the issue. But last week Friday, we received 


another link containing the same information from both numbers. 


Figure 40 — What exactly does Truecaller do with your data? — Techpoint Africa 


It is important to note that contact data pulled by Angry Wizard included European numbers. This vulnerability 
was exposed in 2019: after the implementation of GDPR. Viceroy are unable to ascertain if this is still an active 
breach, but would very much like to hear from the Angry Wizard. 


40 https://web.archive.org/web/20210204184354/https://techpoint.africa/wp-content/uploads/2019/12/Angry-Wizards- 
Truecaller-Explanation.pdf 
41 https://techpoint.africa/2019/12/18/Truecaller-data-developer-dive 
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The “Guardians” 


In 2021 Truecaller launched Guardians, designed to share a user’s location and other information with contacts 
for their safety. The app launched with a vulnerability that allowed malicious actors to log in to any account with 
their phone number and take over the account”. The bug allowed malicious actors to view family member 
details including live locations. 


In response the company said the issue was due to a development configuration being rolled out by mistake. 


We don’t doubt that more vulnerabilities will be discovered and that Truecaller’s cavalier approach to security 
is one reason the Indian government is looking at building its own alternative. 


The Caravan Article 


On March 9, 2022, Indian Investigative Journal “The Caravan” published a fantastic in-depth report on 
Truecaller’s invasive app and interviewed several concerned employees on exactly how much data the company 
was able to access”. 


Former employees claimed that Truecaller had access to user SMS messages and was able to build out a financial 
profile of each individual. In India most banking and transaction confirmations are done through SMS which 
Truecaller’s algorithm can read. 


Truecaller denies that any SMS data is processed on its servers and that all SMS filtering is done locally, 
nonetheless in 2019 a bug automatically created Unified Payments Interface accounts with ICICI bank for many 
Truecaller users. 


Public Interest Litigation 


A PIL case in the Bombay High Court against Truecaller appears to be going forward. The PIL alleged a breach of 
data privacy of the cell phone users related to Truecaller’s Unified Payment Interface failure“. 


Spy Agency Must-Haves 


On November 10, 2020 Privacy International reported that leaked training slides from the European Union 
Agency for Law Enforcement Training showed that government spy agencies were being recommended 
Truecaller as a method for identifying phone numbers. 


A session provided in Montenegro also seems to promote the use of TrueCaller — an app 
that ostensibly allows users to identify phone numbers so they can filter out calls, even if it is 
from anumber they have never encountered before, but which can also be utilised to 
identify people who have been uploaded to the TrueCaller database. 


Figure 41 — Revealed: The EU Training Regime Teaching Neighbours How to Spy — Privacy International 


42 https://thenextweb.com/news/Truecallers-guardian-app-fixes-bug-that-let-hackers-secretly-track-your-family 


44 https://timesofindia.indiatimes.com/business/india-business/bombay-hc-issues-notice-to-govt-npci-in-a-pil-over- 
truecaller-app/articleshow/84213800.cms 
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6. Competitive environments 
Truecaller faces a deteriorating competitive environment as larger players encroach on its territory. 


Government solutions 


On September 17*" it was reported that the Telecom Regulatory Authority of India’s caller ID feature would 
“show KYC-based names on the user’s phone”®, meaning instead of a Truecaller profiles identity, it would be 
the callers real identity. TRAI’s consultation paper, a TRAI official said, would be released within a month. 


The new Draft Indian Telecommunication Bill 2022 also makes provisions for a government-owned alternative 
to Truecaller. 


(2) The Central Government may prescribe the measures for protection of users 
from specified messages. Such measures may include measures relating to: 


Figures 42 & 43 — Draft Indian Telecommunication Bill 2022 and Explanatory Notes 


Further to snippets below, the bill makes now makes spamming an arrestable offence. Viceroy believe this will 
be a further significant deterrent to spammers. Less spam calls is bad for Truecaller business. 


Despite what Truecaller claims, we believe that the Indian government has every intention of supplanting it in 
its key market with a state-owned solution. The draft bill reading like a Truecaller design brief only reinforces 
our view. 


45 https://www.newindianexpress.com/business/2022/sep/17/trai-to-bring-out-consultation-paper-on-Truecaller-like-id- 
feature-within-month-2499023.html 
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Original Equipment Manufacturers 


Original Equipment Manufacturers (OEMs) have started rolling out their own spam and call filters. 


Google’s Android operating system now comes with caller ID and spam protection as standard on most 
compatible android devices. These are inbuilt to the Google dialer*® which comes as the preset dialer application 
for most android devices. Xiaomi, vivo, realme and oppo phones all come with Google dialers pre-installed. 
Truecaller has attempted to work around this through preloading the app on phones (referred to as preloads) 
but only has a 50% activation rate. 


Samsung’s dialer which comes as the preset dialer for its phones also has the Smart Call caller ID and spam 
protection with the option to activate Hiya, a Truecaller competitor service, for further protection. Originally 
rolled out in North America and Europe, the feature is now available in India”. 


The iPhone Issue 


Something widely acknowledged in Apple App store reviews of Truecaller is that the app just doesn’t work. This 
is due to Apple OS effectively locking Truecaller and other third parties out of the access required. A recent iOS 
rebuild was meant to improve performance on iPhones through Apple’s CallKit API but this seems to have failed 
with reviews since the update remaining overwhelmingly negative®. 


Q Search reviews All Ratings v AllVersions v  & Worldwide v Sep2- 26,2022 | Day v 


Overall Trend Rating 


REVIEWS SELECTED AVG RATING CUMULATIVE AVG RATING REVIEW BREAKDOWN 


1.6k 1.9 3.6 F : 


Figure 44 — data.ai Truecaller Apple App store ratings data from September 2, 2022 to September 26, 2022 


Former Truecaller employees noted that many who can afford Truecaller premium are moving to iPhones, but 
iPhone live access to Truecaller is hampered by Apple’s privacy protections: 


“On iPhones, there's no way you are the third party to get [live spam number data]. So that means that 
blocking a call as soon as it comes in is really hard unless Truecaller goes and says, okay, here are the 
list of spam numbers. So what happens is that has to be stored on the phone and only those can be 
blocked real time. 


All the others, the new spam numbers are such that will not get blocked automatically because that's 
not stored on your phone as a spam number, right? So when you get a call and then you realize that, 
okay, and then you search Truecaller, this happens to me all the time, I search Truecaller, then I find 
that, oh, this was a spam number.” 


- Tegus Interview (emphasis added) 


As stated above, we believe Truecaller’s user lookup functionality is in violation of Google’s privacy guidelines, 
while Google has historically been slow to adjust, we believe they are already moving in this direction with their 
recent ban on call recording and the effect it had on Truecaller’s functionality”’. 


46 https://play.google.com/store/apps/details?id=com.google.android.dialer&hl=en&gl=US 
47 https://www.samsung.com/in/apps/smart-call/ 
48 https://www.Truecaller.com/blog/features/Truecaller-for-iphone-revamped 

49 https://www.indiatoday.in/technology/news/story/Truecaller-no-longer-offers-call-recording-feature-here-is-how-to- 
auto-record-calls-1948224-2022-05-11 
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Over-the-top services 


Over-the-top services such as WhatsApp, are posing a greater threat to Truecaller through offering an alternative 
spam-free communication channel. Call blocking is set on by default unless a user has the caller registered as a 
contact. Former employees expressed a view that it would be impossible for Truecaller to supplant Whatsapp 
in India, or for the government to restrict Whatsapp. 


A transcript of a Tegus™ interview with a former Truecaller employee, sighted by Viceroy, stated the following 
stated the following: 


“I mean, totally, the typical Indian user, right? They're not sophisticated, not technical, but they know 
to use an app or two, right? And they are moving from phone app to WhatsApp. I mean, it's just in the 
last two years that this happened, like two, three years when data became cheap to almost free in 
India, right? It's extremely cheap right now in India to get the gigabytes of data per day. So, 
everybody is going to WhatsApp because of the seamless way you can communicate with 
attachments and so on. And in WhatsApp, you cannot get spams, right, because WhatsApp is very strict 
about regulating their platform, right? 


So, people are moving like crazy to WhatsApp, and | agree with you. It's one of the biggest threats to 
Truecaller, just like you have all these legal challenges, but | also think the behavior of users to 
moving to WhatsApp. Earlier, there were other messengers like Hike and LINE, but those have gone 
away now. 


It's only WhatsApp. It's like really ruling the Indian market, and it's getting stronger by the year. Like 
everybody who downloads a phone earlier might have downloaded Truecaller as one of the first few 
apps, but now it has completely shifted to WhatsApp, right? 


- Tegus Interview (emphasis added) 
India is the world’s largest WhatsApp market by far, with 487m users. 


In Brazil, WhatsApp has integrated many business functions with tech players and is a largely ubiquitous app. 
These services are due to arrive in India in the short term and will deteriorate Truecaller’s aspirations to become 
a serious B2B player. 


JioMart comes to WhatsApp; Zomato clarifies Eternal rebrand 


Published on 29 Aug, 2022 


Want this newsletter delivered to your inbox? 


Enter your email SUBSCRIBE 


More than two years after Meta picked up a 9.99% stake in 
Reliance’s Jio Platforms for Rs 43,574 crore, the two companies 
have announced that users in India will soon be able to browse 
and buy groceries from JioMart without leaving WhatsApp. It’s 
the first end-to-end shopping experience on the popular 
messaging app anywhere in the world, Meta CEO Mark 
Zuckerberg said. 


Figure 45 —JioMart comes to WhatsApp *4 


50 https://www.tegus.com/ 


51 https://economictimes.indiatimes.com/tech/newsletters/tech-top-5/jiomart-comes-to-whatsapp-byjus-receives-clean- 
fy21-audit/articleshow/93858982.cms?from=mdr 
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Truecaller spent USD ~$2m on R&D in 2021. 


7. Conclusion 


Viceroy believe Truecaller have evolved from many different failed shapes on something that finally makes 
money. Unfortunately, this shape appears to be non-compliant. 


We do not assign a target price to Truecaller but believe there is significant short & medium term downside as 
the app becomes redundant and regulatory breaches are enforced. 


Viceroy Research is short Truecaller. 
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8. Appendix 


Europe 


Effective May 25, 2018, General Data Protection Regulation (GDPR) went into effect in the European Economic 
Area (EEA)”?. Truecaller’s EU policy unequivocally states that: 


“We do not: store or share any personal information of contacts from Your address book...provide 
reverse number look up of contacts from Your address book” 


BRIEF SUMMARY: 


In simple terms: 


We process Your profile data (name, phone number etc.) and information about Your activity on the Truecaller 
application including device information, IP address and location to provide, improve, analyze and personalize the 
Services for You. We have enhanced our privacy center to provide You with more ability to access and control Your 
data. 


Subject always to obtaining your prior consent, we may: 


e provide your information to third parties (such as Google and advertising networks) to serve more relevant 
advertisements or special offers and promotions to You 


e provide Your availability status to other Users 


e allow other Users, at Your option, to either obtain your contact details or send a message to You to request Your 
contact details 


We do not: 


e store or share any personal information of contacts from Your address book 


e provide reverse number look up of contacts from Your address book 


Figure 46 — Truecaller Privacy Policy - EU% 


Former Truecaller employees told us that GDPR adoption in the EU effectively killed the app’s utility there, 
adding that Truecaller deleted all non-business data and moved their data centres to India as a consequence. 


“I think a very easy way to see that is what happened in EU, right? If you have subscription to things 
like App Annie or one of these sites, which show you the usage of apps in various geos, right? If you 
can go back and see there what happened to Truecaller in, let's say, Italy or Sweden or U.K. before 
and after GDPR. And you can see it. Like there's a sudden fall in rankings, and nobody downloads 
the app anymore. Because after that, it's only for businesses that are calling you, right? It's not for 
end users....” 
“So, which means about 90%, it's a guesstimate, of their data is unconsented, which means, in India, 
of the Indian population, also approximately 90%, maybe 80%, it's something in that range, is 
unconsented data. So, they may end up having to delete the data. Just like in Europe, they were 
forced to delete all the data, nonbusiness data.” 

- Tegus Interview (emphasis added) 


We were unable to verify that deletion of data obtained prior to GDPR was required but were able to verify that 
GDPR travels with the data: it applies regardless of geography. 
Nigeria 


In 2019 the National Information Technology Development Agency (NITDA) of Nigeria opened an investigation 
into alleged privacy breaches of over 7 million Nigerians by Truecaller. Their findings alleged 3 instances of 
Trucaller’s Privacy Policy as incompatible with Nigeria Data Protection Regulations (NDPR). 


52 EU countries an Iceland, Liechtenstein and Norway 
53 https://www.Truecaller.com/privacy-policy-eu 
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A month later at a conference NITDA’s Director General stated that Truecaller would “find ways to harmonise 
operations to comply with [NDPR].”>4. 


Truecaller’s Nigerian Privacy Policy, effective March 29, 2021, differs from the Rest of World policy in one key 
area: app downloads from the Apple App store or Google Play store will not access the user’s address book in 
any case. Users who obtain the app another way (preloaded on their phone, for example) will need to enable 
the enhanced search feature. 


Address book. If you have erated consent , we access the contacts in your address book . i li asa such access, 


Figure 47 - Třuecaller Privaċy. Policy - Nigeria” 


As of April 1, 2021, Nigeria has roughly 170m mobile phone users, though only 10-20% use smartphones™®. At 
the time of the NITDA’s investigation the agency reported that Truecaller had 7 million active users. We doubt 
that Truecaller will be able to grow further in Nigeria without paying heavily for preloaded installations on 
phones sold in the country. 


California 
Truecaller’s California privacy policy is largely the same as the EEA’s due to the California Consumer Privacy Act. 
Brazil 


Truecaller’s Brazil privacy policy effective October 8, 2021°’ specifically states that if the Truecaller app is 
downloaded from the Apple App or Google Play stores then “[Truecaller] does not receive, store or share any of 
the contact information in your address book”. 


South Africa 


Truecaller’s South Africa privacy policy effective July 1, 2021°° specifically states that if the Truecaller app is 
downloaded from the Apple App or Google Play stores then “[Truecaller] does not receive, store or share any of 
the contact information in your address book”. 


57 https://www. Truecaller.com/brazil-privacy-policy 


58 https://www.Truecaller.com/south-africa-privacy-policy 
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